Week Ending January 25, 2026

Developer News

SIG-Instrumentation plans to remove the apiserver_envelope_encryption_key_id_hash_total metric in Kubernetes v1.36 because it no longer worked as intended and caused API server performance issues. The information provided by this metric can be obtained by other means. The metric had earlier required API server restarts to stay accurate, which was deemed unreasonable, and SIG-Auth discussions indicated no active users relying on it.

The Kubernetes Steering Committee opened the annual SIG reporting cycle, asking SIGs to submit their annual reports by February 28.

The Kubecon EU Maintainer Summit Schedule is live! Don’t forget to register.

Release Schedule

Next Deadline: PRR Freeze, February 4

Welcome to the 1.36 Release Cycle with Release Lead Ryota and the whole release team ! We have begun work on it, which starts with the call for Enhancements. We now have a full release calendar:

• PRR Freeze: Feb. 4
• Enhancements Freeze: Feb. 11
• Code Freeze: March 18
• Docs Freeze: April 8
• Release: April 22

January patch releases are still delayed, now due to some golang security updates. They should be out soon.

Featured PRs

• 136450: DRA: support non-pod references in ReservedFor

This PR improves the robustness of the Dynamic Resource Allocation (DRA) controller by allowing it to gracefully handle non-pod references in ResourceClaim.status.reservedFor. Instead of failing and halting cleanup when encountering unknown references, the controller now skips them while continuing to clean up stale pod references. This prevents unnecessary controller failures and ensures more reliable resource lifecycle management.

• 136389: Promote KEP-5311 (Relaxed validation for Services names) to Beta

This PR promotes the RelaxedServiceNameValidation feature to Beta and enables it by default. Service names are now validated using NameIsDNSLabel(), relaxing the previous stricter rules. This makes Service naming more flexible while maintaining DNS compatibility, improving usability without compromising correctness.

KEP of the Week

KEP-127: Support User Namespaces

This KEP introduces support for Linux user namespaces in Kubernetes to improve container security. It allows processes to run as root inside pods while mapping to unprivileged users on the host, reducing the impact of container escapes. This isolation mitigates multiple high-severity vulnerabilities, including CVE-2019-5736 (runc overwrite) and other critical container escape and privilege escalation issues. Overall, user namespaces strengthen Kubernetes’ security model against both known and future threats.

This KEP graduated to beta in v1.35.

Promotions

• RelaxedServiceNameValidation to Beta

Version Updates

• cri-tools to v1.35.0
• agnhost to v2.61 and etcd to v3.6.7-0 in test manifests

Subprojects and Dependency Updates

• kubebuilder v4.11.1 improves scaffold upgrade workflows, delivers multiple CLI, Helm, and API fixes, and bumps controller-runtime, Helm, and Go dependencies.
• cloud-provider-openstack v1.35.0 adds CSI and OCCM enhancements, improves security contexts, updates Helm charts and dependencies, and bumps Kubernetes support to v1.35.
• openstack-manila-csi 2.35.0, openstack-cloud-controller-manager 2.35.0, and openstack-cinder-csi 2.35.0 release updated Helm charts for their respective OpenStack components.
• ingress-nginx helm charts 4.14.2 and 4.13.6 update the controller to v1.14.2 and v1.13.6, respectively.
• ingress-nginx controller v1.14.2 and v1.13.6 focus on image rebuilds, dependency bumps, CI updates, and documentation changes as the project moves toward retirement.
• prometheus 3.5.1 (LTS) updates docker library bumped to 28.5.2 and built with Go 1.24.11.

Shoutouts

• jberkus : Kudos to @Swathi Rao for doing a great job organizing comms to publicize the NCO.

Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.

You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.